Solved

App Locker Path Exception issue

Posted on 2013-11-05
2
2,267 Views
Last Modified: 2013-11-05
I'm using App Locker to secure my workstations, primarily as an anti-malware step, and it works very well.

I now have a new piece of software, that upon login, copies a batch file to the users %TEMP% directory, and runs it.

Of course, that's one of the directories that I have prevented batch files from running, so now I'm trying to allow just this batch file to run, as I know it is known good.  I cannot change the location where this batch file runs, the software maker does not allow for that type of modification.

Oh, and to just make it slightly harder, when the software copies the batch file to the TEMP dir, it uses a new file name every time (however there is a consistent file naming convention, so I'm hoping to use that to key in on this)

Here is what I've done.  I create an App Locker script deny rule, that denies scripts from running from this directory:

%OSDRIVE%\Users\*\AppData\Local\Temp\*

That works beautifully.  No batch files (or any other scripts) can run.

Next step, allow all batch files by putting in this exception:

%OSDRIVE%\Users\*\AppData\Local\Temp\*.bat

That also works perfectly.  All batch files can run, but no other scripts.

Last step is to pin it down to only the known good batch files, that get copied upon login.  The batch files are always named like this:  "ABC12ws.bat" or "ABCh42s.bat".  The common thread is they always start with "ABC" then followed by 4 randomly generated characters, then the .bat.

So I thought I could easily modify my exception like this:

%OSDRIVE%\Users\*\AppData\Local\Temp\ABC*.bat

Unfortunately, for some reason, that allows all batch files to still be run.  My guess is it sees the wildcard, and just ignores the fact that I have 3 characters preceding it.

Is there a way I can put in an exception to my path rule, that will let me run batch files that use the name ABCxxxx.bat but block all other batch files?

Thanks
0
Comment
Question by:Vjz1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
2 Comments
 

Accepted Solution

by:
Vjz1 earned 0 total points
ID: 39625045
I've resolved this on my own guys.

While the file name exactly is "Abc1234.bat" App Locker interprets the name to be "ABC1234.bat"  I know this because I looked at the event log on the workstation and saw the block entry.

Once I changed my rule to use "ABC*.bat" as the exception, instead of "Abc*.bat' everything works perfectly.
0
 

Author Closing Comment

by:Vjz1
ID: 39625047
I resolved the issue on my own.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
A quick guide on how to use Group Policy to create a custom power plan and set it active on Windows 7.
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
This Micro Tutorial will go in depth within Systems and Security in Windows 7 and will go into detail regarding Action Center, Windows Firewall, System, etc. This will be demonstrated using Windows 7 operating system.
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question